If you experienced trouble during the last Debian upgrade with some implementations of SSH other than OpenSSH, you might want to try again. I had to opportunity to tweak the configuration when working on the new CVS infrastructure, and this may have fixed that issue. Feedback is welcome :)

Technically, OpenSSH makes assumptions about the use of the shadow file that differ from PAM's and this caused the 'password' authentication method to fail. I had removed it so that old OpenSSH clients (such as MinGW's) didn't get asked trice for password before to fall back to 'keyboard-interactive', provided by PAM. However some other implementations apparently didn't support the 'keyboard-interactive'. Now that 'password' is fixed and provided again, those SSH clients may be happy now.

Note: that only applies to anoncvs access; pubkey access was not concerned by the issue.